#include "ctdl_module.h"
#ifdef HAVE_OPENSSL
-SSL_CTX *ssl_ctx; // SSL context for all sessions
+SSL_CTX *ssl_ctx = NULL; // This SSL context is used for all sessions.
+char *ssl_cipher_list = CIT_CIPHERS;
// If a private key does not exist, generate one now.
void generate_key(char *keyfilename) {
FILE *fp;
if (access(keyfilename, R_OK) == 0) { // Already have one.
+ syslog(LOG_INFO, "crypto: %s exists and is readable", keyfilename);
return;
}
FILE *fp;
if (access(certfilename, R_OK) == 0) { // already have one.
+ syslog(LOG_INFO, "crypto: %s exists and is readable", certfilename);
return;
}
X509_free(certificate);
EVP_PKEY_free(public_key);
- // RSA_free(private_key); // private_key is freed by EVP_PKEY_free() above
+ // do not RSA_free(private_key); because it was freed by EVP_PKEY_free() above
}
// This is called during initialization, and can be called again later if the certificate changes.
void bind_to_key_and_certificate(void) {
+ SSL_CTX *old_ctx = NULL;
+ SSL_CTX *new_ctx = NULL;
+
+ const SSL_METHOD *method = SSLv23_server_method();
+ if (!method) {
+ syslog(LOG_ERR, "crypto: SSLv23_server_method() failed: %s", ERR_reason_error_string(ERR_get_error()));
+ return;
+ }
+
+ new_ctx = SSL_CTX_new(method);
+ if (!new_ctx) {
+ syslog(LOG_ERR, "crypto: SSL_CTX_new failed: %s", ERR_reason_error_string(ERR_get_error()));
+ return;
+ }
+
+ if (!(SSL_CTX_set_cipher_list(new_ctx, ssl_cipher_list))) {
+ syslog(LOG_ERR, "crypto: SSL_CTX_set_cipher_list failed: %s", ERR_reason_error_string(ERR_get_error()));
+ return;
+ }
+
syslog(LOG_DEBUG, "crypto: using certificate chain %s", file_crpt_file_cer);
- SSL_CTX_use_certificate_chain_file(ssl_ctx, file_crpt_file_cer);
+ if (!SSL_CTX_use_certificate_chain_file(new_ctx, file_crpt_file_cer)) {
+ syslog(LOG_ERR, "crypto: SSL_CTX_use_certificate_chain_file failed: %s", ERR_reason_error_string(ERR_get_error()));
+ return;
+ }
syslog(LOG_DEBUG, "crypto: using private key %s", file_crpt_file_key);
- SSL_CTX_use_PrivateKey_file(ssl_ctx, file_crpt_file_key, SSL_FILETYPE_PEM);
- if ( !SSL_CTX_check_private_key(ssl_ctx) ) {
- syslog(LOG_ERR, "crypto: cannot install certificate: %s", ERR_reason_error_string(ERR_get_error()));
- }
+ if (!SSL_CTX_use_PrivateKey_file(new_ctx, file_crpt_file_key, SSL_FILETYPE_PEM)) {
+ syslog(LOG_ERR, "crypto: SSL_CTX_use_PrivateKey_file failed: %s", ERR_reason_error_string(ERR_get_error()));
+ return;
+ }
+
+ old_ctx = ssl_ctx;
+ ssl_ctx = new_ctx; // All future binds will use the new certificate
+
+ if (old_ctx != NULL) {
+ sleep(1); // Hopefully wait until all in-progress binds to the old certificate have completed
+ SSL_CTX_free(old_ctx);
+ }
}
}
if ((keystat.st_mtime + certstat.st_mtime) != previous_mtime) {
+ begin_critical_section(S_OPENSSL);
bind_to_key_and_certificate();
+ end_critical_section(S_OPENSSL);
previous_mtime = keystat.st_mtime + certstat.st_mtime;
}
}
-// Initialize the SSL/TLS subsystem.
+// Initialize the TLS subsystem.
void init_ssl(void) {
- SSL_library_init(); // Initialize SSL transport layer
+
+ // Initialize the OpenSSL library
+ SSL_library_init();
SSL_load_error_strings();
- if (!(ssl_ctx = SSL_CTX_new(SSLv23_server_method()))) {
- syslog(LOG_ERR, "crypto: SSL_CTX_new failed: %s", ERR_reason_error_string(ERR_get_error()));
- return;
- }
- if (!(SSL_CTX_set_cipher_list(ssl_ctx, CIT_CIPHERS))) {
- syslog(LOG_ERR, "crypto: No ciphers available");
- SSL_CTX_free(ssl_ctx);
- ssl_ctx = NULL;
- return;
- }
+ // Load (or generate) a key and certificate
mkdir(ctdl_key_dir, 0700); // If the keys directory does not exist, create it
generate_key(file_crpt_file_key); // If a private key does not exist, create it
generate_certificate(file_crpt_file_key, file_crpt_file_cer); // If a certificate does not exist, create it
bind_to_key_and_certificate(); // Load key and cert from disk, and bind to them.
- // Finally let the server know we're here
- CtdlRegisterProtoHook(cmd_stls, "STLS", "Start SSL/TLS session");
- CtdlRegisterProtoHook(cmd_gtls, "GTLS", "Get SSL/TLS session status");
+ // Register some Citadel protocol commands for dealing with encrypted sessions
+ CtdlRegisterProtoHook(cmd_stls, "STLS", "Start TLS session");
+ CtdlRegisterProtoHook(cmd_gtls, "GTLS", "Get TLS session status");
CtdlRegisterSessionHook(endtls, EVT_STOP, PRIO_STOP + 10);
}
long errval;
errval = SSL_get_error(CC->ssl, retval);
- if (errval == SSL_ERROR_WANT_READ ||
- errval == SSL_ERROR_WANT_WRITE) {
+ if (errval == SSL_ERROR_WANT_READ || errval == SSL_ERROR_WANT_WRITE) {
sleep(1);
continue;
}
}
else {
int n = 0;
- if ((pch > ChrPtr(IOBuf)) &&
- (*(pch - 1) == '\r')) {
+ if ((pch > ChrPtr(IOBuf)) && (*(pch - 1) == '\r')) {
n = 1;
}
- StrBufAppendBufPlain(Line, pos,
- (pch - pos - n), 0);
+ StrBufAppendBufPlain(Line, pos, (pch - pos - n), 0);
if (StrLength(IOBuf) <= (pch - ChrPtr(IOBuf) + 1)) {
FlushStrBuf(IOBuf);
*Pos = NULL;
}
- else
+ else {
*Pos = pch + 1;
+ }
return StrLength(Line);
}
}
pLF = NULL;
- while ((nSuccessLess < timeout) &&
- (pLF == NULL) &&
- (CC->ssl != NULL)) {
+ while ((nSuccessLess < timeout) && (pLF == NULL) && (CC->ssl != NULL)) {
rlen = client_read_sslbuffer(IOBuf, timeout);
if (rlen < 1) {
if (len > 0 && (*(pLF - 1) == '\r') )
len --;
StrBufAppendBufPlain(Line, pos, len, 0);
- if (pLF + 1 >= ChrPtr(IOBuf) + StrLength(IOBuf))
- {
+ if (pLF + 1 >= ChrPtr(IOBuf) + StrLength(IOBuf)) {
FlushStrBuf(IOBuf);
}
- else
+ else {
*Pos = pLF + 1;
+ }
return StrLength(Line);
}
return -1;
CC->RecvBuf.ReadWritePointer = ChrPtr(CC->RecvBuf.Buf) + RemainRead;
break;
}
- StrBufAppendBuf(Target, CC->RecvBuf.Buf, 0); // todo: Buf > bytes?
+ StrBufAppendBuf(Target, CC->RecvBuf.Buf, 0);
FlushStrBuf(CC->RecvBuf.Buf);
}
else {
}
-// CtdlStartTLS() starts SSL/TLS encryption for the current session. It
+// CtdlStartTLS() starts TLS encryption for the current session. It
// must be supplied with pre-generated strings for responses of "ok," "no
// support for TLS," and "error" so that we can use this in any protocol.
void CtdlStartTLS(char *ok_response, char *nosup_response, char *error_response) {
// Can't notify the client of an error here; they will
// discover the problem at the SSL layer and should
// revert to unencrypted communications.
- long errval;
- char error_string[128];
-
- errval = SSL_get_error(CC->ssl, retval);
- syslog(LOG_ERR, "crypto: SSL_accept failed: retval=%d, errval=%ld, err=%s",
- retval,
- errval,
- ERR_error_string(errval, error_string)
- );
+ syslog(LOG_ERR, "crypto: SSL_accept failed: %s", ERR_reason_error_string(ERR_get_error()));
SSL_free(CC->ssl);
CC->ssl = NULL;
return;
}
bits = SSL_CIPHER_get_bits(SSL_get_current_cipher(CC->ssl), &alg_bits);
- syslog(LOG_INFO, "crypto: SSL/TLS using %s on %s (%d of %d bits)",
+ syslog(LOG_INFO, "crypto: TLS using %s on %s (%d of %d bits)",
SSL_CIPHER_get_name(SSL_get_current_cipher(CC->ssl)),
SSL_CIPHER_get_version(SSL_get_current_cipher(CC->ssl)),
bits, alg_bits
}
-// cmd_stls() starts SSL/TLS encryption for the current session
+// cmd_stls() starts TLS encryption for the current session
void cmd_stls(char *params) {
char ok_response[SIZ];
char nosup_response[SIZ];
cprintf("%d Session is not encrypted.\n", ERROR);
return;
}
- bits =
- SSL_CIPHER_get_bits(SSL_get_current_cipher(CC->ssl),
- &alg_bits);
+ bits = SSL_CIPHER_get_bits(SSL_get_current_cipher(CC->ssl), &alg_bits);
cprintf("%d %s|%s|%d|%d\n", CIT_OK,
SSL_CIPHER_get_version(SSL_get_current_cipher(CC->ssl)),
SSL_CIPHER_get_name(SSL_get_current_cipher(CC->ssl)),
// endtls() shuts down the TLS connection
-//
-// WARNING: This may make your session vulnerable to a known plaintext
-// attack in the current implmentation.
void endtls(void) {
if (!CC->ssl) {
CC->redirect_ssl = 0;
return;
}
- syslog(LOG_INFO, "crypto: ending SSL/TLS");
+ syslog(LOG_INFO, "crypto: ending TLS on this session");
SSL_shutdown(CC->ssl);
SSL_free(CC->ssl);
CC->ssl = NULL;
projects / citadel.git / blobdiff